xml/web agent-a detected in Exchange Server 2016 CU 22

Question

xml/web agent-a detected in Exchange Server 2016 CU 22

Sachin Shinde 1

Hi,

We have Exchange Server 2016 CU 22 installed in our organisation. Sophos antivirus continuously detecting "xml/web agent-a" in 'inetpub/wwwroot' folder.

[PS] C:\Windows\system32>Get-Command Exsetup.exe | ForEach {$_.FileVersionInfo}

ProductVersion FileVersion FileName

15.01.2375.028 15.01.2375.028 D:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup.exe

Kindly suggest any patch to get clean completely above malware.

Thanks,
Sachin Shinde

Jame Xu-MSFT 4,191 Reputation points

2022-06-07T04:19:34.963+00:00
Hi @Sachin Shinde ,

We don't know much about your anti-virus software. We suggest you run Microsoft's anti-virus software for testing first.

Running Windows antivirus software on Exchange servers to see if the problem persists :
https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2016
The following is a document on how to exclude items from folders for reference only :
https://practical365.com/exchange-2016-antivirus-exclusions/
Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.

Microsoft's recommendation is to install the corresponding Exchange version of SU to update the patch. If you have not updated it, you can refer to the following link :
https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2016-and-2019-may-10-2022-kb5014261-cd5ecb59-a0eb-47ef-ae35-f62b13c8b817

If none of the above methods works, it may not be the problem of exchange. You need to ask whether the Sophos antivirus you installed can provide corresponding patches.
Jame Xu-MSFT 4,191 Reputation points

2022-06-16T07:01:48.487+00:00

Hi, I'm here to confirm with you if your issue has been resolved. If the problem is successfully solved, you can share your solution this will make answer searching in the forum easier and be beneficial to other community members as well.

3 answers

Your answer

Jame Xu-MSFT 4,191 Reputation points

2022-06-07T04:19:34.963+00:00

Hi @Sachin Shinde ,

We don't know much about your anti-virus software. We suggest you run Microsoft's anti-virus software for testing first.

Running Windows antivirus software on Exchange servers to see if the problem persists :
https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2016
The following is a document on how to exclude items from folders for reference only :
https://practical365.com/exchange-2016-antivirus-exclusions/
Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.

Microsoft's recommendation is to install the corresponding Exchange version of SU to update the patch. If you have not updated it, you can refer to the following link :
https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2016-and-2019-may-10-2022-kb5014261-cd5ecb59-a0eb-47ef-ae35-f62b13c8b817

If none of the above methods works, it may not be the problem of exchange. You need to ask whether the Sophos antivirus you installed can provide corresponding patches.
Jame Xu-MSFT 4,191 Reputation points

2022-06-16T07:01:48.487+00:00

Hi, I'm here to confirm with you if your issue has been resolved. If the problem is successfully solved, you can share your solution this will make answer searching in the forum easier and be beneficial to other community members as well.

Answer 1

Sachin Shinde 1

Hi,

We have Sophos Central & Sophos Endpoint antivirus installed. Sophos is detecting said malware & cleaning it. We run Microsoft Safety scanner on Exchange server, but it didn't found any virus. Also we checked vulnerability with EOMT.ps1 script and no vulnerability found. We noticed Sophos detected & cleaned same malware on 31st May 2022, 1st June 2022 & 6th June 2022 to same location. Do we require any further checking & what is behaviour of "xml/web agent-a" malware. What kind of impact it can cause.

Thanks,
Sachin Shinde

Jame Xu-MSFT 4,191 Reputation points

2022-06-07T09:22:27.377+00:00

Hi @Sachin Shinde ,
1.“C:\inetpub\wwwroot“ is the default local path for websites in IIS. In the test environment, I checked that there is no "xml/web Agent-a" in the “inetpub/wwwroot” path. It is outside the scope of exchange technical support. I found a related article for you. I hope it will help you.
https://stackify.com/what-is-inetpub/
Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.
2. About “Exsetup.exe” , which is a built-in executable file in Exchange, but this should not be the cause of the problem. The following link is for your reference:
http://windowsbulletin.com/files/exe/microsoft-corporation/microsoft-exchange-server-2007/exsetup-exe
Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.
If you have any other questions, please feel free to ask. We will try our best to help you.

Answer 2

Hi,

I have monitored that first below process or event runs then sophos cleans the virus. Event ID 1126

The Microsoft Exchange Mailbox Replication service failed to add the move history entry on the target mailbox after the move. The error was ignored.
Mailbox move: 'DB#72a3ce69-5c2d-4978-a7ff-26be15351be2\9372c651-f4fa-4bd1-8e58-52ca68c59dd8' (\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\qvsyu.aspx (PST))
Database:
Error: Unable to open PST file '\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\qvsyu.aspx'. Error details: Access to the path '\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\qvsyu.aspx' is denied. --> Access to the path '\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\qvsyu.aspx' is denied

The Microsoft Exchange Mailbox Replication service failed to add the move history entry on the target mailbox after the move. The error was ignored.
Mailbox move: 'DB#72a3ce69-5c2d-4978-a7ff-26be15351be2\5260b6b8-1233-411d-923f-ca6fb989c9d7' (\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\wavlr.aspx (PST))
Database:
Error: Unable to open PST file '\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\wavlr.aspx'. Error details: Access to the path '\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\wavlr.aspx' is denied. --> Access to the path '\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\wavlr.aspx' is denied.

Thanks,
Sachin Shinde

Answer 3

Sachin Shinde 1

Hi,
Also Test-ProxyLogon.ps1 & EOMT.ps1 scripts didn't find any vulnerability. NetworkMonitoring folder is automatically getting created in D drive. How we can clear if Exchange server 2016 CU22 is already infected.
This server we installed 2 weeks before only. Old exchange server with Exchange Server 2016 CU19 was spoofing mails, so we upgrade CU20 to CU22 to same server but still spoofing was happening. So 2 weeks before we install new hardware & migrate all users to new server. Is there any chances after hardware migration old malware impacts new hardware also. And what is behaviour of "xml/web agent-a" malware.

Thanks,
Sachin Shinde

Jame Xu-MSFT 4,191 Reputation points

2022-06-09T06:12:44.09+00:00

Hi @Sachin Shinde ,
No virus was detected in Exchange, and we are not sure about the credibility of the detection results of the anti-virus software you used. From the information you provided, it involves technical problems in IIS. I will add a IIS related tag. Thank you for your understanding.

Share via

xml/web agent-a detected in Exchange Server 2016 CU 22

3 answers

Your answer